makiri 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b0cf63c9d861e721a52064dccc929db0a8f823d485f69854f07d90b805913db0
-  data.tar.gz: 989e0d0b1430b202147cd4f0fec411d0377114f34ae380217b683b6b63d031e6
+  metadata.gz: 30e3037756fec29474a8fb0c62e38d06a3337bba9c3ad844e6bdcfc02cff5026
+  data.tar.gz: 5b2f2a2887019261a359a64c35bddd36eb076a8c6a4f145c1a2ec1d84f679be6
 SHA512:
-  metadata.gz: 13598e1f45341c8fed3924da8bbe913cf55ef5c1b9256193db18ae3cf2bb9ae0f4816370d8ca569139b33e7194aced65656c1314989b882ea612a44e3750e84b
-  data.tar.gz: 71c9da99e6f26fb8a034efba1d0642b37cdcd3ddf212c6f977ad3c868b104162ca86f0c721606024286a06c858326508e41c8624687c03fa3d7a205461926faf
+  metadata.gz: 2b6bf4ed94ae428e23bcb3af8ec71febda16c83c5187ffb8cadd3698327681d951ead4b68d7df78328e8eeeec82a09de310d862cd110323c2874ac1fb0adf62c
+  data.tar.gz: 9ebd0a7562d7ff5541ead1e61f4dae1719257b29ff8cf4414e5ca2c23e2c708849c360b26471fc132bebd0ddd9cd5866ec11ab44aec4ac4044cdba10958a1038

data/.github/workflows/conformance.yml

@@ -57,6 +57,15 @@ jobs:
       - name: CSS Selectors differential vs Nokogiri::HTML5
         run: bundle exec rake conformance:css
 
+      - name: XML XPath 1.0 differential vs Nokogiri::XML
+        run: bundle exec rake conformance:xpath_xml
+
+      - name: XML CSS-selector differential vs Nokogiri::XML
+        run: bundle exec rake conformance:css_xml
+
+      - name: XML Builder differential vs Nokogiri::XML::Builder
+        run: bundle exec rake conformance:builder
+
   # Nightly: a wide XPath differential sweep across many seeds and a high
   # generated volume, to surface divergences the curated corpus and a single
   # seed miss. Fails fast (bash -e) on the first real divergence.
@@ -92,3 +101,16 @@ jobs:
             XPATH_ARGS="--generate 20000 --seed ${seed}" bundle exec rake conformance:xpath
             echo "::endgroup::"
           done
+
+      # The W3C XML conformance suite fetches its (pinned) test corpus on first
+      # run, so it lives in the nightly rather than on every PR.
+      - name: XML 1.0 well-formedness vs the W3C XML Conformance Test Suite
+        run: bundle exec rake conformance:xmlconf
+
+      # Property-based tree differential: generated documents, Makiri's parsed
+      # tree + canonical output vs Nokogiri::XML. Scalable volume - nightly gets
+      # a much larger batch than the resident in-suite PBT specs.
+      - name: XML property-based tree differential vs Nokogiri::XML
+        run: bundle exec rake conformance:xml_pbt
+        env:
+          PBT_ARGS: "--count 20000"

data/.github/workflows/libfuzzer.yml

@@ -0,0 +1,83 @@
+name: libFuzzer
+
+on:
+  # Nightly: libFuzzer runs are coverage-guided and long-running; they complement
+  # the PR-level short fuzz (30s) and the nightly sanitizer fuzz (300s per target).
+  # We run them on a schedule because the coverage signal needs sustained CPU
+  # time to reach deep branches (e.g. DOCTYPE quote/bracket state machine,
+  # reference expansion boundaries).
+  schedule:
+    - cron: "0 3 * * *"
+  workflow_dispatch:
+
+jobs:
+  # Build the libFuzzer harnesses under clang with -fsanitize=fuzzer,address
+  # and run each target for 300s.  The corpus is stored as a build artifact so
+  # it can be seeded in subsequent runs (regression asset per the roadmap).
+  libfuzzer-nightly:
+    name: libFuzzer ${{ matrix.target }} (clang)
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [xml, xpath]
+
+    steps:
+      - name: Checkout (with vendored Lexbor submodule)
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Ensure cmake is available
+        uses: lukka/get-cmake@latest
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+
+      # Build the vendored Lexbor first (plain mode is fine; the harness links
+      # the static archive).  The fuzzer binary itself is built with ASan.
+      - name: Compile the extension (builds Lexbor)
+        run: bundle exec rake compile
+
+      - name: Install clang
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clang
+
+      - name: Build libFuzzer harnesses
+        run: |
+          cd ext/makiri/fuzz
+          make clean
+          make all
+
+      # Restore the previous corpus so the fuzzer starts from the accumulated
+      # regression seeds rather than from scratch.
+      - name: Restore corpus cache
+        uses: actions/cache@v4
+        with:
+          path: ext/makiri/fuzz/corpus/${{ matrix.target }}
+          key: libfuzzer-corpus-${{ matrix.target }}-${{ github.run_id }}
+          restore-keys: |
+            libfuzzer-corpus-${{ matrix.target }}-
+
+      - name: Run libFuzzer ${{ matrix.target }} (300s)
+        run: |
+          mkdir -p ext/makiri/fuzz/corpus/${{ matrix.target }}
+          cd ext/makiri/fuzz
+          ./${{ matrix.target }}_fuzz \
+            -max_total_time=300 \
+            -max_len=4096 \
+            -print_final_stats=1 \
+            corpus/${{ matrix.target }}
+
+      # Save the mutated corpus as an artifact for download / seeding.
+      - name: Upload corpus artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: libfuzzer-corpus-${{ matrix.target }}
+          path: ext/makiri/fuzz/corpus/${{ matrix.target }}
+          retention-days: 7

data/.github/workflows/security.yml

@@ -70,12 +70,71 @@ jobs:
           bundler-cache: true
 
       - name: Run short fuzz under sanitizers
-        run: bundle exec rake fuzz:sanitize FUZZ_ARGS="--isolated --time 30"
+        run: bundle exec rake fuzz:sanitize FUZZ_ARGS="--time 30"
+
+  # macOS-only malloc-leak gate: ASan everywhere runs with detect_leaks=0 (Ruby
+  # and Lexbor are uninstrumented), so this is the ONLY automated leak check. It
+  # flags per-call leak stacks through the extension, including on rescued
+  # failure paths (see script/check_leaks.rb).
+  security-leaks:
+    name: Malloc-leak gate (macOS leaks)
+    runs-on: macos-latest
+    if: github.event_name != 'schedule'
+    steps:
+      - name: Checkout (with vendored Lexbor submodule)
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Ensure cmake is available
+        uses: lukka/get-cmake@latest
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
 
+      - name: Run the leak gate
+        run: bundle exec rake leaks
+
+  # OOM-injection sweep: rebuilds with MAKIRI_ALLOC_INJECT=1 and fails each core
+  # C allocation site in turn, gating that every OOM branch fails closed - a
+  # clean exception or a baseline-identical result, never truncated output
+  # (see script/check_alloc_failures.rb).
+  security-alloc-inject:
+    name: OOM-injection sweep
+    runs-on: ubuntu-latest
+    if: github.event_name != 'schedule'
+    steps:
+      - name: Checkout (with vendored Lexbor submodule)
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Ensure cmake is available
+        uses: lukka/get-cmake@latest
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+
+      - name: Run the OOM-injection sweep
+        run: bundle exec rake oom
+
+  # Nightly: fuzz EVERY target (the 30s PR fuzz covers only the default xpath
+  # target; the CSS engine reuse and the XML parser/mutator are each their own
+  # documented memory-safety risk, so each gets a full 300s run).
   security-fuzz-nightly:
-    name: Nightly sanitized fuzz
+    name: Nightly sanitized fuzz (${{ matrix.target }})
     runs-on: ubuntu-latest
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [xpath, css, xml, mutate, xmlcss]
     steps:
       - name: Checkout (with vendored Lexbor submodule)
         uses: actions/checkout@v6
@@ -92,4 +151,30 @@ jobs:
           bundler-cache: true
 
       - name: Run nightly fuzz under sanitizers
-        run: bundle exec rake fuzz:sanitize FUZZ_ARGS="--isolated --time 300"
+        run: bundle exec rake fuzz:sanitize FUZZ_ARGS="--target ${{ matrix.target }} --time 300"
+
+  # Nightly: the whole spec suite with Lexbor ITSELF built under ASan (mraw
+  # poisoning on), catching intra-arena overflows that a plain ASan build cannot
+  # see - the class the v3.0.0 :lexbor-contains overflow belonged to. Heavy
+  # (full instrumented Lexbor rebuild), so nightly only.
+  security-sanitize-lexbor:
+    name: Nightly instrumented-Lexbor ASan suite
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Checkout (with vendored Lexbor submodule)
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Ensure cmake is available
+        uses: lukka/get-cmake@latest
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+
+      - name: Build Lexbor under ASan and run the suite
+        run: bundle exec rake "sanitize:lexbor"

data/.github/workflows/valgrind.yml

@@ -0,0 +1,135 @@
+name: Valgrind + GC.compact
+
+on:
+  # Nightly: these jobs are heavy (Valgrind is ~10-50x slower, GC.stress is ~10x
+  # slower) and check structural properties that do not vary by day-to-day code
+  # churn, so run them on a schedule rather than on every push/PR.
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+jobs:
+  # Valgrind memcheck on the full spec suite.  Complements ASan by catching
+  # layout-independent errors ASan misses: use of uninitialised values, and
+  # invalid reads/writes that happen to land inside valid malloc regions
+  # (intra-arena overflows).  Runs on Linux because Valgrind is x86_64/amd64
+  # Linux only.
+  valgrind-memcheck:
+    name: Valgrind memcheck (Ruby ${{ matrix.ruby }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    env:
+      BUNDLE_WITH: valgrind
+      # These heavy jobs verify memory discipline (uninit values, intra-arena
+      # overflows, use-after-move), not the property space - so the full
+      # 300-iteration PBT sweep (already run by the normal CI matrix) is
+      # overkill here and, multiplied by Valgrind's 10-50x slowdown, never
+      # finishes.  A handful of iterations exercises every C memory path while
+      # keeping the run tractable.
+      PBT_COUNT: "15"
+      CSS_PBT_COUNT: "15"
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["3.4"]
+
+    steps:
+      - name: Checkout (with vendored Lexbor submodule)
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Ensure cmake is available
+        uses: lukka/get-cmake@latest
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Compile the extension
+        run: bundle exec rake compile
+
+      - name: Install Valgrind
+        run: sudo apt-get update && sudo apt-get install -y valgrind
+
+      # ruby_memcheck (the `spec:valgrind` rake task) runs the suite under
+      # memcheck. It ships Ruby's Valgrind suppression files itself (matched to
+      # the running Ruby), so there is no longer a ruby.supp to fetch from
+      # ruby/ruby - that path was removed upstream and the fetch step 404'd.
+      - name: Run spec suite under Valgrind (ruby_memcheck)
+        run: bundle exec rake spec:valgrind
+
+  # GC.auto_compact + GC.stress run of the full spec suite.  This structurally
+  # tests the borrowed-pointer discipline under the condition that Ruby Strings
+  # actually move (compaction) and that every allocation triggers a full GC
+  # cycle (stress).  Failures here are typically use-after-move or stale
+  # pointer bugs in the C extension or bridge layer.
+  #
+  # THREADING is deliberately OFF here.  The :threading suite (spec/threading_spec.rb)
+  # is 8 threads x tens of iterations, and forcing the job-level GC.stress onto it
+  # means a full GC per allocation across every thread - which made this job run
+  # for 30+ minutes without finishing.  It also adds little: that suite already
+  # runs in ci.yml (ubuntu/3.4), and its GC-sensitive examples opt into GC.stress
+  # themselves via their own `around` hook, so cross-thread interactions are
+  # covered there.  This job's unique value is the *single-threaded* full suite
+  # under stress+compaction, which catches use-after-move across every code path.
+  gc-compact-stress:
+    # Temporarily disabled, too long
+    if: false
+    name: GC.auto_compact + GC.stress (Ruby ${{ matrix.ruby }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    env:
+      # As in the Valgrind job: GC.stress (a full GC per allocation) makes the
+      # 300-iteration PBT sweep run for hours, and these jobs check memory
+      # discipline rather than the property space, so trim the iteration count.
+      PBT_COUNT: "15"
+      CSS_PBT_COUNT: "15"
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["3.4"]
+
+    steps:
+      - name: Checkout (with vendored Lexbor submodule)
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Ensure cmake is available
+        uses: lukka/get-cmake@latest
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Compile the extension
+        run: bundle exec rake compile
+
+      # GC.stress is scoped to each example via an around hook rather than set
+      # process-wide: under a global GC.stress, even requiring the 88 spec files
+      # runs a full GC per allocation, so loading alone took tens of minutes and
+      # the job never reached the first example.  auto_compact stays global so
+      # objects actually move during those stressed examples (the point of the
+      # job), while loading/collection runs at normal speed.
+      - name: Run spec suite under GC.auto_compact + GC.stress
+        run: |
+          bundle exec ruby -Ilib -e '
+            GC.auto_compact = true
+            require "rspec/core"
+            RSpec.configure do |c|
+              c.around(:each) do |example|
+                GC.stress = true
+                begin
+                  example.run
+                ensure
+                  GC.stress = false
+                end
+              end
+            end
+            exit RSpec::Core::Runner.run(ARGV)
+          ' spec

data/CHANGELOG.md

@@ -5,7 +5,64 @@ All notable changes to this project will be documented in this file.
 The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [0.4.0] - 2026-06-12
+
+### Added
+
+* CSS selectors on `Makiri::XML`. `#css` / `#at_css` / `#matches?`, lowered
+  to the native XPath engine (case-sensitive, namespace-aware). Covers the
+  standard selector set including combinator arguments to `:is`/`:where`/`:not`/
+  `:has`, untyped `:*-of-type`, and `:lexbor-contains`. Verified by a differential
+  against `Nokogiri::XML` plus property-based tests.
+
+* `Makiri::XML::Builder`, a Nokogiri-compatible DSL for building an XML
+  document or subtree from scratch (block / `instance_eval` forms, namespaced
+  elements via `xml["prefix"]`, the `tag.class.id!` attribute short-cuts, raw-XML
+  `<<`, and `.with`). Verified by a differential against `Nokogiri::XML::Builder`.
+
+### Changed
+
+* The XML declaration emits `encoding="UTF-8"` only when the source declared
+  one (or `#to_xml(encoding:)` is passed); built or declaration-less documents
+  now serialize to a bare `<?xml version="1.0"?>`, like Nokogiri (the output is
+  UTF-8 either way).
+
+* Faster XML queries. A document-rooted `//name` / `css("name")` is served
+  from a lazily-built element-name index instead of a full-tree walk (~11x
+  Nokogiri on the benchmark feed); name tests resolve their prefix once per step,
+  and `at_css` / `at_xpath` short-circuit on prefixed name tests.
+
+* CSS class/ID selectors now match case-sensitively in no-quirks documents
+  (case-insensitively only in quirks mode), like browsers and `Nokogiri::HTML5` -
+  via an upstreamed Lexbor fix (see below).
+
+* XPath number parsing now follows the XPath 1.0 `Number` grammar exactly and
+  is locale-independent, matching libxml2/Nokogiri and browsers. C `strtod`'s
+  superset forms are no longer accepted: `1e3` / `0x1A` lex as a Number followed
+  by a name (a syntax error as a full expression, where they previously parsed
+  as 1000 / 26), `number()` returns NaN for exponent/hex/`+`-signed strings, and
+  only XPath whitespace (space/tab/CR/LF, not `\v`/`\f`) is trimmed around the
+  coerced value. Valid literals (`5.`, `.5`, `1.5`) are unchanged.
+
+### Security
+
+* Updated the vendored Lexbor (v3.0.0 -> `3a2d595`), which includes two
+  CSS-selector fixes we upstreamed - class/ID case-sensitivity follows quirks
+  mode, and a prefix-less type selector no longer defaults to the universal
+  namespace - plus a heap-overflow fix in its `:lexbor-contains()` parser
+  (reached from `Node#css`) and other post-v3.0.0 bugfixes. (An untagged master
+  commit, taken deliberately; see CLAUDE.md.)
+
+* Hardened native memory safety. The XML arena is ASan-red-zoned to catch
+  intra-arena overflows, the engines are fuzzed under ASan/UBSan, and buffer
+  growth is bounded by a hard ceiling.
+
+* Extended the lint-enforced bounded-reader (`mkr_span`) discipline to the
+  remaining byte-scanning code: the source-location line table, the XPath
+  string-function scanners (now explicitly length-bounded instead of relying on
+  the NUL contract), and the number parse above. Fixed a borrowed-RSTRING
+  pointer held across a potential GC point in the XML encoding sniffer, and a
+  missing NUL-termination guarantee in the libFuzzer XPath harness.
 
 ## [0.3.0] - 2026-06-06
 
@@ -239,7 +296,8 @@ libxml2 / libxslt dependency at any layer**.
   domxpath, CSS differential vs `Nokogiri::HTML5`). GitHub Actions CI across
   Ruby 3.2–4.0 × Ubuntu/macOS plus a sanitizer job.
 
-[Unreleased]: https://github.com/takahashim/makiri/compare/v0.3.0...HEAD
+[Unreleased]: https://github.com/takahashim/makiri/compare/v0.4.0...HEAD
+[0.4.0]: https://github.com/takahashim/makiri/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/takahashim/makiri/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/takahashim/makiri/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/takahashim/makiri/releases/tag/v0.1.0